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CHAPTER 6 


The role of corporate governance in macro-prudential 
regulation of systemic risk 


6.1 Introductory overview 


Global regulators only began to think programmatically about systemic risk when 
the enormity of the GFC’s damage to the financial system became clear. Before 
then, a handful of systemic events in US financial history after the introduction 
of FDIC insurance periodically focused attention on the topic. Systemic failures 
had been a recurring staple of the period prior to the inception of FDIC insurance, 
leading eventually to the creation of the Federal Reserve System in 1913. The 
term “TBTF’ originated with the failure of Continental Illinois National Bank in 
1984, the largest bank failure until the GFC.' However, an extended period of 
stable economic growth in the US since the 1980s, known as the ‘Great Modera- 
tion’, helped downgrade financial instability to a secondary concern of regulators 
and other policymakers. 

The country’s experience in the GFC and Great Recession fundamentally 
reshaped prudential regulation and bank supervision. Broadly, Basel and US pol- 
icymakers have chosen three avenues for mitigating the risks of future financial 
crises. First, the GFC revealed severe deficiencies in risk management, which 
post-crisis regulation and supervision have sought to remedy. The current chap- 
ter covers this aspect of post-crisis reform. Second, policymakers have extended 
Basel’s capital adequacy framework to macro-prudential regulation in an effort 
to compel financial conglomerates to internalize their systemic footprint. The 
‘capital approach’ is the subject of Chapter 7. Third, policymakers have adopted 
a ‘structural approach’ to reduce systemic risk? by proscribing or walling off 
certain activities deemed unduly risky, requiring financial conglomerates to 


1 The US government bailed out Continental Illinois by extending deposit insurance to all of the 
bank’s depositors and bondholders. The FDIC estimated that nearly 2,300 banks had invested in the 
bank and that nearly half of these in amounts greater than the FDIC deposit insurance limit. Renee 
Haltom, ‘Failure of Continental Illinois’ (22 November 2013), Federal Reserve Bank of Richmond’, 
at <www.federalreservehistory.org/essays/failure_of continental _illinois>. Such risky behavior 
reflected the absence of meaningful bank risk management at the time. 

2 The use of the term ‘structural approach’ does not imply that Dodd-Frank’s structural regula- 
tion is an innovation in regulatory policy, only that the new legislation adopted novel mechanisms 
to achieve its regulatory objectives. Limitation on bank activities to contain systemic risk, such as 
activities ‘closely related to banking’, has a long history beginning from the outset of bank regulation. 
John Coates, “The Volcker rule as structural law: implications for cost-benefit analysis and adminis- 
trative law’ (2015), 10(4) Capital Markets Law Journal 447, 449. Coates defines a structural law as 
a law that bans certain otherwise unobjectionable behavior in order to increase desirable behavior or 
to simplify supervision of risky behavior. Ibid. 448. 
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prepare ‘living wills’, and enhancing resolution mechanisms for failing systemi- 
cally important firms, the subject of Chapter 8. 

The chapter proceeds as follows. After discussing key concepts relating to 
systemic risk such as TBTF, it turns to the GFC. To lay a foundation for under- 
standing Dodd-Frank’s approach to tackling systemic risk, it examines three 
periods: the period preceding the crisis during which firms’ deficient risk man- 
agement practices prepared the ground for the severity of the financial crisis 
when it occurred; the liquidity and credit crisis; and the Great Recession, which 
this chapter denotes as Phase I, II, and III, respectively. The chapter indicates 
the regulatory responses with respect to each phase. It then turns to recent FRB 
regulatory guidance on the role of large BHCs’ boards and senior and line man- 
agement, risk committee requirements, and the LISCC program whose objective 
is to improve firm-wide risk management and compliance of the largest BHCs. 


6.2 The role of the GFC in the formulation of macro-prudential regulation 


This section lays the groundwork for understanding the rationale and structure of 
macro-prudential regulation, the associated regulatory expectations for risk man- 
agement and compliance, and the capital and structural approaches to systemic 
risk in later chapters. 


6.2.1 Definitions and concepts 


Definitions matter in understanding financial crises. Because of their widespread 
impact on the general economy, financial crises invariably become politicized 
and laden with loosely chosen jargon.’ This is particularly the case with the GFC, 
one of the most momentous and controversial events in US and global financial 
history. This section discusses the concepts of financial crises, banking crises, 
systemic risk, shadow-banking, and TBTF. Such discussion, in turn, should lead 
to a sounder understanding of the factors contributing to the GFC that condi- 
tioned policymakers’ approach to systemic risk in Basel III and Dodd-Frank and 
their regulatory expectations for risk management and compliance. 


6.2.1.1 Banking crises as a subset of financial crises 

By definition, this book’s focus is on banking crises. In a recent, timely, and 
comprehensive treatment, Carmen Reinhart and Kenneth Rogoff employ both 
quantitative and qualitative criteria in their lengthy, empirical taxonomy of finan- 
cial crises, including banking crises.* According to Reinhart and Rogoff, the 
antecedents and aftermath of banking crises share common patterns of housing 


3 Depending on one’s political persuasion, Dodd-Frank, which was overwhelmingly passed on a 
partisan basis, is either an ‘anti-bailout’ law ending ‘TBTF’ (the Democrats’ view), or a bailout law 
(the Republican view). 

4 Carmen Reinhart and Kenneth Rogoff, This Time Is Different: Eight Centuries of Financial 
Folly (Princeton University Press: 2009) 3 [This Time Is Different]. Their categories of financial 
events include sovereign debt default, banking, inflationary, and exchange-rate crises. 
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and equity prices, unemployment, declining government revenues, and high lev- 
els of debt.’ Financial crises, including banking crises, by their nature last an 
extended period of time. Among other things, asset market collapses are deep 
and prolonged, and the aftermath of a financial crisis is associated with profound 
declines in output and employment and an explosion of government debt.° All of 
these were true of the GFC. Banking crises by definition involve runs on banks 
due to their fragile business model of liquidity transformation. Banking crises 
also cannot be adequately understood without first understanding systemic risk. 


6.2.1.2 Two theories of the causes of systemic risk 

The term ‘systemic risk’ has import that extends well beyond academic theory. 
The concept is integral to the regulatory framework established under Basel III 
and Dodd-Frank. However, an absence of a clear understanding of systemic risk 
complicates identification of its causes, its measurement, and ultimately its reg- 
ulation. The measurement of systemic risk is within the remit of the FSOC and 
FRB, but scholars and policymakers have only recently begun to develop meth- 
odologies to gauge this risk. This perhaps reflects the uniqueness of the genesis 
of each financial crisis. The FRB has endeavored to measure systemic risk as 
reflected in its rule mandating the G-SIB capital surcharge.’ 

In contrast to the issue of the causes of systemic risk, economists, central bank- 
ers, and other policymakers have reached some level of agreement on whether a 
systemic event or events have occurred by considering the effects of disruptions 
in a financial system. Financial disruptions that do not cause significant disrup- 
tions in the real economy are not a systemic risk event.’ This approach focuses 
on the breakdown of financial intermediation that stops the flow of credit to busi- 
nesses and consumers, which is the engine of economic growth and output. 

Consideration of the causes of systemic events have coalesced around two 
approaches. These are first, a simultaneous shock to the financial system, through 
contagion, and second, the interconnectedness of financial institutions,’ which 
transmits the problems of one or a handful of institutions to their counterpar- 
ties. As this book will make clear, Dodd-Frank approaches bank regulation from 
both standpoints but structures its framework primarily based on the concept of 


5 This Time Is Different 223. 

6 Ibid. 224. 

7 § 7.2.2. 

8 Xavier Freixas, Luc Laeven, and José-Luis Peydro, Systemic Risk, Crises, and Macroprudential 
Regulation (MIT Press: 2015) 15 [Systemic Risk and Macroprudential Regulation]. The authors con- 
trast such systemic events with the bursting of the mostly equity-financed dot-com bubble in 2000, 
which did not produce significant adverse effects in the financial system. Ibid. 

9 The treatment in this section draws in part on David VanHoose, ‘Systemic risks and macro- 
prudential bank regulation: a critical appraisal’ (April 2011), Networks Financial Institute, Indiana 
University, 2011-PB-04 [VanHoose, Systemic risks]. In placing systemic risk into two categories, 
VanHoose in turn draws on Craig Furfine, ‘Interbank exposures: quantifying the risk of contagion’ 
(2003) 35 Journal of Money, Credit, and Banking 111—128. See Markus Brunnermeier and others, 
The Fundamental Principles of Financial Regulation (Princeton University Press: 2009) 15-18 
[Brunnermeier, Fundamental Principles], which also classifies systemic risk in this binary manner. 
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interconnectedness. Both transmission mechanisms in combination also likely 
played a role in the GFC." They can be summarized as follows: 


(1) Simultaneous shock to the financial system. First, there may be an exter- 
nal, unexpected shock to the entire financial system, causing simulta- 
neous adverse effects throughout it, and radically disrupting its normal 
functioning in the transmission of funds and credit extension. There is 
a generalized collapse of depositor confidence. Examples are a war in 
the Middle East that causes a severe disruption in oil supply or a cyber- 
attack on the payments system. This theory has been called the ‘panic 
view’, or more specifically ‘illiquidity induced by a contagion of fear’."! 
Closely linked but different in approach is the asymmetric theory of a 
rational, information-based bank run, which ends in the same result — a 
generalized collapse of the financial system. This generalized collapse 
approach encompasses a demand-based concept of decisions of indi- 
vidual depositors acting in concert and with correlated asset strategies, 
known as ‘herding’ behavior.'? 


(2) Interconnectedness. Second, systemic failure may begin with the fail- 
ure of a single financial institution or small group of institutions, which 
is then transmitted throughout the system through a chain reaction, 
commonly called the ‘domino effect’, or more generally ‘intercon- 
nectedness’.'* Moreover, financial institutions trade much more among 
themselves than firms in other industries, particularly in the interbank 
lending and derivatives markets.'* Connectedness occurs on both the 
liability and asset sides of the balance sheet. In its pure form the theory 
assumes stable asset prices in the midst of market turmoil. 


Critics of the domino effect argue that it unrealistically assumes a model of 
passive institutions that do nothing as a sequence of defaults unfolds. In practice, 
firms will take action to protect against unfolding events and liquidity spirals 
spurred by declining asset prices.'> 

The mechanics of interconnectedness failure vary. They typically include 
failures of counterparties to the institutions or group of institutions that initially 
failed. This transmission mechanism relies on closely knit interconnections via, 


10 The GFC illustrates the two channels of contagion: cross-linkages and common shocks. This 
Time Is Different 242. The authors, however, point primarily to contagion and spillover from the US 
to foreign markets as the agent of transmission. Ibid. 

11 VanHoose, Systemic risks 4. 

12 Ibid. at 4-7. 

13 The BIS defines this as the risk that ‘the failure of a participant to meet its contractual obliga- 
tions may in turn cause other participants to default with a chain reaction leading to broader financial 
difficulties’. Bank for International Settlements, 64th Annual Report 177 (1994). 

14 Brunnermeier, Fundamental Principles 4. 

15 Brunnermeier, Fundamental Principles 16. In particular, the domino theory assumes stable 
asset prices whereas prices decline in a liquidity spiral, producing contagious effects on the market 
as a whole. Ibid. 16. 
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e.g., payment obligations, between institutions, or between markets. Counterparty 
failure can disrupt the payments system, the critical plumbing of the financial 
markets. Certain factors can exacerbate the domino effect, such as high leverage 
among the financial institutions in the system, making them vulnerable to coun- 
terparty failures. The interconnectedness approach emphasizes supply-side chan- 
nels regulated by central banks, such as interbank clearings, securities exchanges, 
and foreign currency transfers. A transaction failure between two banks can result 
in settlement failures in a line of financial institutions. '° 

The interconnectedness theory perhaps has the most relevance on the regula- 
tory side. Regulators’ perception of counterparty risk in the midst of a crisis may 
be to assume the importance of interconnectedness without telling evidence. Fear 
of the domino effect in large part prompted regulators globally to rescue many 
large, failing institutions in the GFC. Reflecting regulators’ perceptions and fear 
of the domino effect, Dodd-Frank imposes restrictions on exposure of G-SIBs to 
other SIFIs.'7 


6.2.2 Too big to fail 


TBTF is another concept that Basel III/Dodd-Frank seeks to resolve. This amor- 
phous term means different things to different market participants and commen- 
tators.'* Dodd-Frank systematically addresses TBTF without truly defining it. 
TBTF continues to be a public policy issue because of disagreement over its 
definition and thus the costs and benefits of resolving TBTF firms." Generally, 
difference of opinion centers on two issues: (1) which counterparties are partially 
or fully protected and (2) whether losses in the bailout are funded privately or by 
the government.” The populist furor over taxpayer-funded bailouts in the GFC 
provided a driving force for many of Dodd-Frank’s TBTF provisions. 


6.2.2.1 TBTF and moral hazard 

A unifying theme throughout the TBTF debate is the moral hazard it generates. 
According to the economist George Kaufman, it is not the source of funds such 
as taxpayers that matter in understanding TBTF, but the mere possibility of a 
creditor bailout, which creates moral hazard. US policymakers have established 
a policy of constructive ambiguity to create doubt about bailouts to mitigate the 


16 VanHoose, Systemic risks 7. The Herstatt settlement failure in 1974 was a prime example of 
interconnectedness that had the potential of a systemic event. See § 2.2.1. 

17 A G-SIB’s credit exposure to another SIFI is capped at 15% of its tier 1 capital. 12 CFR § 
252.72(b). 

18 According to the economist George Kaufman, various definitions of TBTF have different pol- 
icy and regulatory implications. These include too complex to fail, too important to fail, too inter- 
connected to fail, too big to liquidate, or too big to prosecute. Franklin Allen and others, ‘Enhancing 
Prudential Standards in Financial Regulations’ (3 December 2014), Harvard Law School Forum on 
Corporate Governance and Financial Regulation, at <https://corpgov.law.harvard.edu/2015/03/16/ 
enhancing-prudential-standards-in-financial-regulations/> 15 [Enhancing Prudential Standards]. 

19 George Kaufman, ‘Too big to fail in banking: What does it mean?’ (2014) 13 Journal of Finan- 
cial Stability 214-223 [Too big to fail in banking]. 

20 Too big to fail in banking 216. 
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moral hazard problem, a policy at play in the GFC. However, the inconsistency in 
the US bailout strategy during the crisis likely contributed to the market turmoil, 
particularly to the chaos following the Lehman bankruptcy.”! 


6.2.2.2 Types of TBTF resolution 
TBTF resolution undoubtedly exists when a firm is insolvent (meaning that net 
worth is negative and thus shareholders are ordinarily wiped out) but a third party 
protects shareholders against loss. All creditors are made whole. Such a bailout is 
one of the least disruptive in financial markets and occurred in the Bear Stearns 
transaction in March 2008.” TBTF more frequently is applied to resolutions in 
which shareholders are not protected, the firm fails, and its assets are sold or liqui- 
dated. Some uninsured depositors and other creditors may be fully or partially paid 
out.” Regulators decide this loss allocation based on their estimated benefits of 
avoiding financial instability against the moral hazard and other costs of protection. 
TBTF and government bailouts in the GFC are intertwined, although, more 
broadly, bailouts do not always involve TBTF institutions, and TBTF bailouts 
do not always involve the government.” As traditionally understood, bailouts 
range from nationalization, explicit infusion of cash through equity investment, 
and government guarantees to purchases of deteriorating assets and shotgun mar- 
riages. However, the Federal Reserve, acting as lender of last resort and provid- 
ing liquidity loans against adequate collateral of solvent financial institutions is 
not a government bailout. 


6.2.2.3 TBTF a phenomenon of the financial sector 
TBTF status is particularly problematic in the financial sector given the fragile 
business model of financial institutions, a feature reflected in banks’ ineligibility 
for resolution under the Bankruptcy Code.” In addition, TBTF is controver- 
sial because by definition bailouts occur outside of the established bankruptcy 
regime, which statutorily ensures that creditor counterparties receive liquidation 
proceeds according to their seniority. TBTF resolution may alter the predeter- 
mined loss allocation scheme of the Bankruptcy Code.” 

Large BHCs’ and other financial conglomerates’ increasing complexity helps 
to cement their TBTF status. TBTF status gives a bank a competitive edge in debt 


21 Enhancing Prudential Standards 16. According to David Skeel, the bailout of Bear Stearns in 
March 2008 set the stage for the turmoil following the Lehman Brothers bankruptcy. David Skeel, 
The New Financial Deal (Wiley: 2010) 31. 

22 JPMorgan Chase acquired Bear Stearns as an ongoing entity, paying its shareholders $10 per 
share. 

23 Too big to fail in banking 215. 

24 The S&L rescues in the 1980s did not involve TBTF firms. The US government, through the 
offices of FRB Chairman Greenspan, orchestrated the private funding of the orderly liquidation of 
the hedge fund Long Term Capital Management, perceived as TBTF, in 1998 to limit systemic risk 
in the financial markets. 

25 11 USC § 109(b), (d). BHC corporate parents are so eligible. 

26 The Bankruptcy Code expressly sets forth the priority scheme for claimholders. Secured credi- 
tors come first in priority, followed by unsecured creditors, subordinated debt, preferred shareholders, 
and common stockholders. 11 USC § 507 — Priorities. 
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financing costs as investors, assuming government protection, will buy TBTF 
bank debt at a discount. The discount and expectation of bailouts further incen- 
tivizes banks to take on riskier activities to retain their TBTF status. Smaller 
banks must compete and follow suit, further worsening the negative impact of 
TBTF in the financial system.” Another negative feature of TBTF bailouts is 
inefficient allocation of resources, a result that the adversarial, privately negoti- 
ated bankruptcy process is better equipped to avoid. There is, however, evidence 
of a narrowing cost-of-funding advantage following the Dodd-Frank reforms, 
indicating some success in solving the TBTF problem.’ 


6.2.2.4 GFC’s contribution to the TBTF debate 

The GFC greatly roiled the controversy involving TBTF and its contribution to 
systemic risk. The government’s vast expansion of the federal safety net in the 
GFC significantly increased moral hazard in the financial system. The bailouts 
further incentivized financial institutions to become ever larger and increase lev- 
erage in order to fall under the government’s protective umbrella. 


6.2.3 Shadow banking and bank runs 


The GFC was a banking crisis and bank run, using these terms in a broad sense. 
The run in the GFC was on non-bank financial institutions, or ‘shadow banks’, 
that, like commercial banks, use short-term debt financing to fund long-term, 
illiquid assets but fall outside FDIC insurance protection and prudential regu- 
latory restrictions. In lieu of FDIC-insured deposits shadow banks offer liquid 
securities as collateral or operate on an unsecured basis in exchange for short- 
term funding. On the eve of the GFC, wholesale non-deposit taking shadow 
banks comprised the majority of short-term financing as shadow banks increas- 
ingly assumed the liquidity transformation role.” 


6.2.3.1 Economic equivalence of shadow bank and commercial bank runs 

In both bank and non-bank financial sectors, liquidity transformation is a fragile 
business model. A bank or shadow bank faces, respectively, the risk of short- 
term creditors withdrawing deposits or ceasing to renew, or roll over, collateral- 
ized short-term debt financing. Runs occur due to uncertainty among investors 
about the composition and quality of both of these types of financial institutions’ 
long-term assets. To meet these cash withdrawals, these institutions are forced to 


27 Gara Afonso, João Santos, and James Traina, ‘Do “too-big-to-fail” banks take on more risk?’ 
(December 2014) FRBNY Economic Policy Review 41-42. The authors find evidence of higher levels 
of impaired loans following an increase in government support. 

28 Martin Baily, Douglas Elliott, and Phillip Swagel, ‘The big bank theory: breaking down the 
breakup arguments’ (31 October 2014), Brookings Institution, Economic Policy Program 6. Darrell 
Duffie has found evidence that lenders, by and large, believe the government will cause them to suffer 
a loss in the failure of a financial conglomerate. Darrell Duffie, ‘Prone to fail: the pre-crisis financial 
system’ (8 December 2018), Journal of Financial Perspectives [forthcoming] 33-34. 

29 Gary Gorton, ‘Slapped in the face by the invisible hand: banking and the panic of 2007’ (9 
May 2009) NBER 3 [Slapped in the face]. 
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liquidate these assets in ‘fire sales’, driving down prices in these asset classes. At 
the extreme, a banking panic occurs. In a panic these firms are insolvent because 
they have insufficient capital to meet short-term creditors’ demands for their 
assets.” Cash withdrawal en masse results in the insolvency of the financial sys- 
tem and a freezing of the credit markets, which occurred following the Lehman 
bankruptcy. 

Shadow banking arose in part because large creditor institutions have liquidity 
demands far in excess of the FDIC deposit account threshold.*' Insured demand 
deposits are of no use to large firms, other commercial banks, hedge funds, and 
corporate treasuries that need to deposit large amounts of money in interest bear- 
ing accounts for a short period of time. Instead, these creditors ‘deposit’ their 
funds in the repo and asset-backed commercial paper (ABCP) markets? backed 
by high-quality collateral consisting of Treasury securities and securitization 
bonds. The collateral is valued at market prices. Uninsured money market funds 
and the interbank funding market, in which banks lend reserves on an overnight 
basis, are also a part of the shadow-banking system. 


6.2.4 Regulatory responses to risks revealed in GFC’’s three phases 


In assessing the wide range of regulatory responses to the GFC, it is useful 
to identify three distinct phases: the periods before, during, and following the 
liquidity and credit crisis that began in summer 2007. Each phase presents a 
distinct set of risks that policymakers addressed in the Basel III and Dodd-Frank 
macro-prudential framework. The first phase (Phase I) involved deficient risk 
management decisions that contributed to the liquidity and credit crisis, par- 
ticularly the decision to retain long-term MBS-related assets financed by short- 
term credit. The second phase (Phase II), from August 2007 to 2009, marked 
the critical stage of the GFC with the collapse of credit intermediation and runs 
on shadow banks. The third phase (Phase II) was the Great Recession, which 
officially extended from December 2007 into 2009 but its negative repercussions 
extended several years following the crisis. A brief summary of these regulatory 
responses follows the discussion of each phase. 


6.2.5 Phase I: corporate governance and risk management failures reflected in 
banks’ capital structure 


The severity of the crisis in the fall of 2008 that required rescues of a broad 
array of financial conglomerates can be attributed largely to financial institutions’ 


30 Slapped in the face 3. 

31 Shadow banking also includes bank deposit accounts with holdings exceeding the FDIC max- 
imum account threshold of $250,000. These accounts are uninsured and unsecured. 

32 In the ABCP market, financial institutions sponsor that fund MBS and other asset-backed 
securities by issuing ABCP, with an average maturity of 90 days, and medium-term notes, secured 
by these assets. Prior to the GFC, both were sold primarily to money market funds. The market had 
viewed ABCP as equivalent to insured deposits. 
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excessively risky capital structure.” Firms’ system of corporate governance had 
failed to keep up with changes in the complex, opaque, and globally integrated 
financial system.” Many banks entered the crisis with substantial exposure to 
long-term subprime assets financed with highly runnable short-term whole- 
sale debt. Heated competition ensured that firms across the financial landscape 
shared these two weaknesses in their capital structure. The composition of these 
firms’ balance sheet provided much of the fuel that was ignited in the liquidity 
and credit crisis,” leading to emergency interventions by the Federal Reserve 
and Treasury Department to rescue failing financial conglomerates. Faulty 
board decision making that downgraded the risk management and compliance 
functions and poorly constructed or absent internal controls (ICs) were critical 
elements in creating the combustible mix of assets and liabilities. 


6.2.5.1 Siloed risk management 

Many of the large firms had a siloed** approach to corporate governance prior to 
GFC. In many cases, these firms were an amalgamation of different cultures and 
businesses resulting from a series of mergers and acquisitions (M&A) that left a tan- 
gle of cultural conflicts and conflicting IT systems. This fragmentation poses a signif- 
icant challenge to BHC boards, which need to have relevant information on existing 
and emerging risks in business units across their firm before acting upon it. In a 2007 
survey of banks, only 10% of firms had adopted a holistic approach to risk man- 
agement.’ Post-crisis guidance seeks to correct this deficiency by emphasizing an 
enterprise-wide, integrated approach to risk and, in certain areas, compliance. Basel 
239 guidance seeks to remedy the poor risk data aggregation and information flow.’ 


6.2.5.2 Challenges in identifying, communicating, and acting on tail risk 
Tail risk, the central risk management issue in the GFC, is a significant challenge 
for financial conglomerates to incorporate effectively into their business strategy 


33 See Anil Kashyap, Raghuram Rajan, and Jeremy Stein, ‘Rethinking Capital Regulation’ 
(2008) 2008 Economic Symposium, ‘Maintaining Stability in a Changing Financial System’, Fed- 
eral Reserve Bank of Kansas City 1-2 [Rethinking Capital Regulation]. As the authors put it, ‘the 
proximate cause of the credit crisis (as distinct from the housing crisis) was the interplay between 
two choices made by banks’ — significant exposure to MBS subprime-related assets financed by short- 
term debt (emphasis added). Ibid. 1. 

34 Ben Bernanke, ‘The real effects of disrupted credit: evidence from the global financial crisis’ 
(13 September 2018), Brookings Papers on Economic Activity, Brookings Institution 1 [Real effects 
of disrupted credit]. 

35 Rethinking Capital Regulation 1. The financial system’s reliance on short-term funding of 
long-term assets with potentially low market liquidity has been the main source of instability in this 
and previous financial crises. Brunnermeier, Fundamental Principles 40. Northern Rock and other 
casualties in the GFC might well have survived with the same assets if their funding’s average matu- 
rity had been longer. Ibid. xii. 

36 Silos are business lines, legal entities, or geographical units operated in isolation from one 
another, with limited information shared across the firm and, in some cases, competition between 
silos. Basel Committee on Banking Supervision, “Corporate governance principles for banks’ (8 
July 2015) 30. 

37 Stephen Bainbridge, ‘Caremark and enterprise risk management’ (March 2009), 34 Journal of 
Corporation Law 967, 971 [Bainbridge, ERM]. 

38 See § 6.3.5. 
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and risk management and compliance processes. Many finance industry senior 
executives defensively opined that they could not be held responsible for not 
preparing for an event of the magnitude of the GFC. This defense rings hollow. 
Certain other conglomerates took effective action in the face of ominous signs 
without being able to precisely forecast the depth and severity of the oncoming 
crisis.” 

For risk management, the challenge in assessing severe, highly improbable 
events is due to the fact that the outcomes associated with such risks are not 
normally distributed but tend to have fat tails. Identifying and communicat- 
ing to senior management the potential of extreme events requires quantifying 
the probability and magnitude of severe losses. In such instances, uncertainty in 
generating such a distribution poses a severe identification and communication 
challenge.“ 

A risk management function that has an independent, autonomous, and cred- 
ible status in a firm with unalloyed access to the board can limit tail exposure 
preceding and during a market crisis. However, the pre-crisis risk management 
function by and large lacked these attributes. In the pre-crisis corporate environ- 
ment, communicating extreme risks to senior business executives was highly 
problematic. Moreover, this challenge was made even more daunting by compen- 
sation schemes with hidden, embedded tail risks** or by managers who assessed 
risks based on historical data and thus did not account for low-probability events 
that later turned out to be highly material. Finally, at the apex of the corporate 
governance system, board directors need to have the necessary competence to 
understand the significance of extreme, improbable events so that they can appro- 
priately weigh them in formulating business strategy within the firm’s risk appe- 
tite. Many boards of financial conglomerates prior to the GFC did not have this 
level of competence. 


6.2.5.3 Principal-agent conflict as a contributing cause to risk management 
failure 

The deeper problem underlying this poor business judgment is the principal-agent 

conflict that is endemic in financial institutions.“ Establishing effective incen- 

tive compensation schemes and strong ICs has been a perennial conundrum 

in large financial conglomerates in which the principal-agent conflict plays an 


39 See § 6.2.5.5, which summarizes the Senior Supervisors Group’s 2008 report on poorly and 
better performing firms. 

40 Bainbridge, ERM 971 (citing Linda Allen, Jacob Boudoukh, and Anthony Saunders, Under- 
standing Market, Credit, and Operational Risk: The Value at Risk Approach (Blackwell: 2004) 25 
[Allen, VaR]). 

41 Bainbridge, ERM 971 (citing Allen, VaR 26). 

42 Andrew Ellul and Vijay Yerramilli, ‘Stronger risk controls, lower risk: evidence from U.S. 
bank holding companies’ (October 2013), 68 Journal of Finance 1757, 1796. 

43 Senior Supervisors Group, ‘Observations on risk management practices during the recent mar- 
ket turbulence’ (6 March 2008) 7, at <www.occ.treas.gov/publications/publications-by-type/other- 
publications-reports/pub-other-risk-mgt-practices-2008.pdf> [SSG, Observations]. See § 6.2.5.2. 

44 See § 3.3.2. Also see § 4.2.2.1 regarding the incentive to optimize return on equity by limiting 
equity financing and incurring debt in its stead. 
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outsized role.* This conflict also was a reason risk management lacked resources, 
authority, and independence throughout the finance industry, deficiencies that the 
FRB has sought to remedy in its post-crisis macro-prudential guidance. 

Compensation schemes incentivized both the senior and lower executive ranks 
to generate high returns with little downside risk. Their focus was on the asset 
side of the balance sheet. Boards of directors and senior management, facing 
increasingly heated competition in generating high earnings, decided to enter 
subprime MBS origination and securitization, in some cases just as the market 
was reaching its peak. CEOs would be punished by the stock market, and their 
compensation docked, if they did not actively seek market share in subprime 
assets. Compensated by short-term windows of equity performance, executives 
viewed high-yielding subprime asset exposure as a sure bet in generating high 
return on equity. In sum, excessive risk-taking can occur as competition erodes 
banks’ franchise value.* In an effort to reduce the agency costs revealed by the 
crisis, post-crisis regulation and supervision has focused on correcting compen- 
sation schemes for senior executives. 

Lower in the management ranks, pay-for-performance compensation incen- 
tivized traders to game internal performance metrics that measured risk-adjusted 
returns. Poorly designed risk controls did not require economic capital charges 
commensurate with the risk assumed by trading desks.“ Quite simply, traders 
had incentives to assume hidden tail risks and were able to do so.** Firms use VaR” 
to compare traders across business lines and compensate them for their profits in 
relation to the risks they assume. A trader that apparently assumes less risk for a 
given amount of capital than other traders will be more highly compensated and 
granted higher position limits. Though well intentioned, the system led to per- 
versely distorted incentives as traders sought out exposure that was not reflected 
in the horizon window on which VaR is based,® thus generating ‘fake alpha’. In 
sum, VaR was not measuring risk properly. Firms invested in fat tail risk without 
fully realizing it.*! 

Post-crisis agency guidance is aimed at rectifying this principle-agent problem 
in the lower echelon through enhanced ICs and independent risk management 


45 Rethinking Capital Regulation 2. 

46 Systemic Risk and Macroprudential Regulation 329. 

47 An example was UBS’s practice of not charging capital corresponding to risks relating to 
CDOs and other investments with long tail risk. ‘[E]mployee incentivisation arrangements did not 
differentiate between return generated by skill in creating additional returns versus returns made 
from exploiting UBS’s comparatively low cost of funding in what were essentially carry trades.... 
[T]he relatively high yield attributable to Subprime made this asset class an attractive long position 
for carry trades.’ UBS AG, ‘Shareholder report on UBS’s write-downs’ (18 April 2008) 42, at <http:// 
maths-fi.com/ubs-shareholder-report.pdf>. 

48 Rethinking Capital Regulation 9. Traders could count on their income spread exceeding the 
low hurdle rate that contributed to bonuses. Ibid. 

49 § 3.7.2.3 discusses VaR in greater detail. 

50 The data made the standard deviation component of the VaR artificially low. 

51 Till Guldimann, ‘The creator of VaR explains how large banks measure the risk of their own 
portfolios’ (25 June 2018) Odd Lots, podcast with Joe Wiesenthal and Tracy Alloway, at <https:// 
podcasts.apple.com/us/podcast/creator-var-explains-how-large-banks-measure-risk-their/id 1056200 
0967i1=1000414564268>. 
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and compliance functions that enjoy a high level of credibility and authority in 
their organizations, in addition to compensation schemes that better align busi- 
ness strategy with longer-term, prudent risk-taking. 


6.2.5.4 Risky capital structure 

On the asset side, when the credit crisis gained steam in late summer 2007, 
many financial conglomerates had substantial holdings of subprime MBS-related 
assets. This strategy was contrary to the stated rationale of securitization, much 
lauded by regulators adhering to the market-based ethos, to off-load and spread 
risk into the capital markets.” When housing prices and then MBS valuations 
began to decline, firms had to write-down their assets by hundreds of billions of 
dollars.** Through August 2008, UBS had written down $43 billion; Citigroup, 
$56 billion; and Merrill Lynch, $45 billion.** The enormous impairment charges 
against a small amount of capital in turn created the ground for investor concern 
and the subsequent credit and liquidity crisis of Phase II. On the liability side, the 
financial conglomerates financed these long-term illiquid assets with short-term, 
low-cost debt. They sourced most of this debt with wholesale funding from the 
uninsured shadow-banking sector. Unlike deposits, the favored funding source 
of smaller banks, wholesale funding is more ‘runnable, prone to evaporate in a 
crisis’.*° 


6.2.5.5 Senior Supervisors Group’s assessment of risk management practices 
The Senior Supervisors Group (SSG), whose members are financial market 
supervisors from several countries, surveyed 11 global financial conglomer- 
ates” early in the crisis. Firms began reporting material write-downs with losses 
concentrated in US subprime mortgage-related credits, particularly in business 
lines in warehousing, structuring, and trading of subprime-backed CDOs. 

The SSG divided the firms into better and more poorly performing institu- 
tions. The better performing firms typically shared information effectively across 
business lines, had rigorous internal processes requiring critical business judg- 
ment in asset valuation, applied consistent valuations across the firm, did not rely 
exclusively on credit rating agencies (CRAs) but did independent credit analysis, 
aligned treasury functions closely with risk management practices, charged busi- 
ness lines for contingent liquidity exposures, and relied on a wide range of risk 


52 Figure 1.1 at § 1.1.3.1 illustrates the securitization process. 

53 Banks, including sophisticated investment banks, were some of the most active buyers of 
structured products. Markus Brunnermeier, ‘Deciphering the liquidity and credit crunch 2007—2008’ 
(Winter 2009), 23 Journal of Economic Perspectives 77, 80 [Deciphering the liquidity crunch]. 

54 Julia Werdigier, ‘After $43 billion in write-downs, UBS to split main businesses’, New York 
Times (12 August 2008). 

55 Jeremy Kress, ‘Solving banking’s “too big to manage” problem’ (7 March 2019), [forthcoming 
104 Minnesota Law Review 2019], 17—18, at <https://ssrn.com/abstract=3348593>. 

56 Representatives included banking and securities regulators from France, Germany, Switzer- 
land, UK, and the US, represented by the FRB, FRBNY, SEC, and OCC. The SSG shares information 
on risk management, governance, and other issues involving financial conglomerates. 

57 SSG, Observations. 


170 


MACRO-PRUDENTIAL REGULATION OF SYSTEMIC RISK 


measures to gain different perspectives on risk.” The more poorly performing 
firms were deficient in some or many of these areas. Table 6.1 summarizes the 
SSG’s findings concerning risk management practices of the two groups in four 
areas. 


6.2.5.6 Regulatory response relating to risks revealed in Phase I 

Regulators, pursuant to Basel III/Dodd-Frank as well as under their discretionary 
authority, adopted a number of enhanced prudential approaches to address the 
deficiencies in risk management exhibited in Phase I in the run up to the GFC. 
These measures included increasingly enhanced expectations regarding corpo- 
rate governance, risk management, and compliance specifically relating to the 
roles of the board of directors, senior management, and line management, and 
structural mandates such as board-level risk committees (Chapter 6). The FRB 
instituted Pillar II supervisory measures consisting of the LISCC program on 
liquidity management and capital planning and the CCAR and the DFAST stress 
testing programs (Chapter 7). 


6.2.6 Phase II: liquidity and credit crisis 


The financial conglomerates’ poor risk management practices reflected in the 
severe mismatch of assets and liabilities and overdependence on subprime 
MBS-related assets to generate high returns were one of many factors that con- 
tributed to the liquidity and credit crisis of the GFC. Nevertheless, these practices 
share significant blame for the depth and severity of the crisis once it began in 
late summer 2007. 


6.2.6.1 Starting point of liquidity and credit crisis 

Incipient signs of a liquidity problem appeared in February 2007 with an increase 
in subprime mortgage defaults, reflected in the increase in CDS prices for sub- 
prime mortgages.” In June, Bear Stearns bailed out two MBS-related hedge 
funds, and in July, the ABCP market showed refinancing difficulties. As the 
series of events unfolded in 2007, their balance sheets exposed commercial and 
investment banks to a severe maturity mismatch through their off—balance sheet 
liquidity facilities backed by MBS-related assets and increased reliance on repo 
financing.” 


58 David Viniar, Goldman Sachs’ CFO during the GFC, observed that the firm reviewed its P&L 
position under VaR every day to make sure the P&L was consistent with its risk model forecasts. In 
December 2006, its mortgage business lost money ten days in a row. ‘It wasn’t a lot of money, but 
by the 10th day we thought we should sit down and talk about it.” Goldman Sachs reviewed every 
trading position of the firm. They examined VaR and other risk models. They talked about how the 
MBS market ‘felt’. ‘We decided to “get closer to home”’. Joe Nocera, ‘Risk mismanagement’, NYT 
Magazine (2 January 2009). 

59 This was reflected in a decline in the ABX price index, which is based on CDS prices. Deci- 
phering the liquidity crunch 82-83. 

60 Deciphering the liquidity crunch 80. The structured investment vehicles (SIVs) that sold ABCP 
were subject to funding liquidity risk, whereby investors, mainly money market funds, would cease 
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Table 6.1 Risk management practices of better and more poorly performing firms in GFC 


Best-practice 
risk management 
area 


Better performing firms 


Poorly performing firms 


1. Effective ° 
firm- 
wide risk 
identification ° 
and analysis 


2. Consistent ° 
firm-wide 
application of 
independent 
and rigorous 
valuation ° 
practices 


3. Effective ° 
management 
of funding 
liquidity, 
capital, and 
balance sheet « 


4. Informative «+ 
and 
responsive 
risk 
management e. 
reporting and 
practices 


Shared quantitative/qualitative 
information effectively across 
firm 


Thus, able to identify sources of 
significant risk early on, reducing 
exposures and hedging while still 


practical and not prohibitively 
expensive 


Rigorous internal processes 
requiring critical judgment 
and discipline in valuations of 
complex or potentially illiquid 
assets 

Skeptical of CRAs’ assessment 
of complex structured credit; 
developed inhouse expertise to 


conduct independent assessments 


Once deciding on valuation, 


sought consistent use across firm 


Aligned treasury functions 
closely with risk management 
practices, incorporating 
information from all business 


lines in global liquidity planning 
Incentivized control over balance 


sheet growth by charging 
business lines for contingent 
liquidity exposures, reflecting 
liquidity cost in challenging 
market conditions 


Management information 
systems assessed risk positions 
with variety of tools and with 
several underlying assumptions 


Management had more adaptive 


(not static) risk management 


processes and systems that could 


rapidly alter assumptions to 


reflect current market conditions 


Relied on wide range of risk 
measures to gather more 
information and different 
perspectives on same exposures 


Many able to integrate measures 
of market risk and counterparty 


risk positions across businesses 


Business line and senior 
managers did not discuss 
firm’s risks in light of 
evolving market conditions 
Left business lines to act in 
isolation regarding business 
growth and hedging, in some 
cases increasing rather than 
mitigating risk exposure 
Continued to price super- 
senior CDO tranches at 

or close to par despite 
observable deterioration in 
performance of underlying 
RMBS collateral and 
declining market liquidity 
Management did not exercise 
sufficient discipline over 
valuation process 

Relied sometimes too 
passively on credit risk from 
CRAs 

Weaker controls over balance 
sheet growth 

Treasury functions not closely 
aligned with risk management 
processes 

Lacked complete access 

to information across all 
business lines 

Did not properly consider risk 
of certain exposures or price 
appropriately for balance 
sheet use 

More dependent on specific 
risk measures using outdated 
or inflexible assumptions 
Lost sight of how risk was 
evolving or could change in 
the future 

Some could not easily 
integrate market and 
counterparty risk positions 
across businesses, making 

it difficult to identify 
consolidated firm- 

wide sensitivities and 
concentrations 


Source: Senior Supervisors Group, ‘Observations on Risk Management Practices During the Recent 
Market Turbulence’ (6 March 2008). 
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Most commentators mark 9 August 2007 as the starting point of the liquidity 
and credit crisis. BNP Paribas halted redemptions in three investment funds 
due to its inability to value their underlying structured investments. Beginning 
August 9, the critical interbank lending market became highly illiquid, with 
rapidly rising LIBOR rates.“ In short order the ECB and Federal Reserve col- 
lectively injected over $100 billion of overnight credit into the interbank lend- 
ing market. ABCP outstanding plunged by hundreds of billions of dollars in 
August and for the remainder of 2007.° In December, for reputational reasons 
Citigroup brought its SIV programs onto its balance sheet to avoid downgrades 
of the programs’ creditworthiness, further eroding its capital.® In the repo mar- 
ket creditors demanded increasing haircuts in a run on that market, leading to 
a downward spiral of asset sales and further declines in the value of the collat- 
eral backing this debt.“ Ultimately lenders ceased to roll over banks’ repo debt 
due to concerns about the value and liquidity of the collateral backing these 
obligations.© 

The crisis spread through contagious sentiment to other repo securitization 
asset classes as creditors began to doubt the value of underlying non-MBS related 
collateral. In December the FRB initiated the first of several unconventional 
liquidity facilities with the creation of the Term Auction Facility that provided 
depository institutions collateral-backed short-term loans. 


6.2.6.2 Escalation of the liquidity and credit crisis: bailouts of TBTF firms 

The first non-bank bailout, of Bear Stearns, occurred in March 2008 when 
hedge funds withdrew short-term funds, causing a severe loss of liquidity. The 
FRB orchestrated a purchase of the company by JPMorgan Chase, with a loan 


buying SIVs’ ABCP that had funded SIVs’ long-term assets. The bank sponsors of SIVs provided a 
liquidity facility to the SIVs that committed the banks to fund SIVs’ long-term assets if necessary, in 
effect, bringing these assets back onto the banks’ balance sheets. 

61 In the interbank market, banks lend to each other at LIBOR on an unsecured basis with matur- 
ities ranging from overnight to three months. 

62 SIV-backed ABCP fell by about $70 billion, or 80%, and new issue maturities shortened con- 
siderably as investors sought to hedge their risk. Daniel Covitz, Nellie Liang, and Gustavo Suarez, 
‘The evolution of a financial crisis: panic in the asset-backed commercial paper market’, Finance and 
Economics Discussion Series, Federal Reserve Board (18 August 2009) 12-13. 

63 Liz Moyer, ‘Citigroup goes it alone to rescue SIVs’, Forbes (13 December 2007). 

64 The percentage of total bank assets financed by overnight repos had increased approximately 
twofold from 2000 to 2007, with a higher portion consisting of overnight funding, thus increasing 
liquidity risk. Brunnermeier, Deciphering the liquidity crunch 80. 

65 Such collateral ceased to be ‘informationally insensitive’, causing investors to reduce their 
exposure. Slapped in the face 4. Insured bank deposits are truly ‘informationally insensitive’, mean- 
ing that depositors and counterparties need not worry about the value of the checks that depositors 
write due to FDIC insurance so that checks function as currency. The AAA-rated MBS and other 
collateral used in shadow banking served as ‘insurance’, making the short-term debt informationally 
insensitive. Ibid. 7—9. 

66 This facility allowed banks to bid for loans anonymously backed by a wide range of collateral, 
including MBS. Deciphering the liquidity crunch 87. In March 2008 the FRB extended liquidity 
assistance to non-banks in launching the Term Securities Lending Facility, permitting investment 
banks to swap agency and other mortgage-related bonds for Treasury bonds, and the Primary Dealer 
Credit Facility, which provided overnight funding to investment banks. Ibid. 88. 
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guarantee of $30 billion of toxic assets. A major concern of the regulators con- 
cerned Bear Stearn’s interconnectedness.®” The crisis reached a crescendo in Sep- 
tember 2008. The US government put the two GSEs, Fannie Mae and Freddie 
Mac, into conservatorship on September 7. Lehman Brothers filed for bankruptcy 
protection on September 15, and on September 16, again due to concerns on 
interconnectedness, the FRB injected $85 billion of equity into AIG. 

The financial markets completely shut down in the weeks following the Leh- 
man bankruptcy. The US Treasury provided an $80 billion guarantee for money 
market funds to avoid a shutdown of their market after a leading fund ‘broke 
the buck’, with its share price falling below $1. The Federal Reserve introduced 
a commercial paper funding facility after non-asset-backed securities (ABS) 
backed commercial paper suffered a dramatic decline in issuance. The stock mar- 
ket lost $8 trillion in market value. The government launched additional facilities 
to buy commercial paper, ABS, and GSE bonds.® 


6.2.6.3 Both types of systemic risk occurred in GFC 

As this narrative makes clear, a combination of the two models of systemic fail- 
ure, a simultaneous shock and interconnectedness, occurred in the financial crisis 
of 2007—09.® The financial conglomerates were connected to one another in an 
opaque network involving thousands of derivatives and short-term debt transac- 
tions. Regulators, unable to decipher firms’ balance sheets, intervened in hastily 
orchestrated bailouts. CCR, the risk of default of a trading counterparty on its 
obligation, paralyzed the debt markets.” Subprime mortgages, at the heart of the 
crisis, were too small in amount to cause a systemic event. This makes contagion 
a necessary element in spreading the panic to the credit markets generally.” 


6.2.6.4 Regulatory response relating to risks revealed in Phase II 

Dodd-Frank addresses potential future liquidity and credit crises through a 
comprehensive and multifaceted approach. The legislation seeks to reduce the 
likelihood of government bailouts of TBTF firms and prevent future bank runs. 
Policymakers’ measures include enhanced expectations for corporate governance 


67 According to testimony by FRB Chair Ben Bernanke, if the government had allowed Bear 
Stearns to fail, it would have led to a ‘chaotic unwinding’ of the bank’s investments held by its coun- 
terparties. ‘Bernanke Defends Bear Stearns Bailout’, CBS News (3 April 2008). 

68 Deciphering the liquidity crunch 90. 

69 There is a continuing debate among academic commentators and policymakers on the pri- 
mary causes of the financial crisis. Hal Scott has made a strong case that contagion, the first model 
described in § 6.2.1.2, was the root cause of the crisis, not interconnectedness. Scott defines contagion 
as run behavior in which fears of widespread financial collapse lead to withdrawal of funding from 
financial institutions. Hal Scott, Connectedness and Contagion: Protecting the Financial System from 
Panics (MIT Press: 2016) 5. 

70 Viral Acharya and Matthew Richardson, ‘Causes of the financial crisis’ (2010), 21 Critical 
Review 209. 

71 Auseful analogy, suggested by Gorton, is an E. coli outbreak. An isolated outbreak in a small 
part of the food supply will lead a large portion of the population to avoid many other types of 
foods. As with E. coli, no investor knew where the risks were, leading to uncertainty concerning 
which counterparties would fail. Gary Gorton and Andrew Metrick, ‘Haircuts’ (November—Decem- 
ber 2010), Federal Reserve Bank of St. Louis Review 507, 511. 
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and the control functions and FSOC as a systemic risk coordinator with SIFI 
designation authority (Chapter 6); liquidity regulation and more loss-absorbent 
capital that more closely reflects a firm’s risk profile (Chapter 7); capital planning 
through CCAR and DFAST stress testing and LISCC capital planning oversight” 
(Chapter 7);? resolution plans, SPOE resolution with BHC capital structure 
requirements, and the OLA rules (Chapter 8). 


6.2.7 Phase III: the Great Recession 


The Great Recession, which officially began in December 2007 and ended in 
June 2009, was the worst economic downturn since the Great Depression. Reces- 
sions that are associated with systemic banking crises impose huge costs on an 
economy.” In the Great Recession, US GDP contracted by more than 4% and it 
took nearly four years for it to regain the prerecession GDP level.” According to 
the International Monetary Fund the recession became global in 2009, the fourth 
and deepest recession since World War II.” The panic in the GFC played a central 
role in the severity of the Great Recession.” According to Ben Bernanke, a lead- 
ing scholar of the Great Depression and FRB chair during the GFC, the collapse 
of the financial system in the early 1930s was a major reason for the persistence 
of the Great Depression.” 

Moreover, the factors most strongly associated with financial panics, the run 
on short-term funding and other forms of contagion such as occurred during the 
crisis in the securitization markets, are the best predictors of poor economic per- 
formance.” A strong link exists between the breakdown of financial intermedia- 
tion and economic downturns: 


Financial instability occurs when problems (or concerns about potential problems) 
within institutions, markets, payments systems, or the financial system in general 
significantly impair the supply of credit intermediation services — so as to substan- 
tially impact the expected path of real economic activity.*° 


72 The CCAR and LISCC programs supplement Dodd-Frank’s systemic risk regulation but were 
not mandated by it. 

73 The GFC was a run on the shadow-banking sector. FSOC’s designation authority is a key tool 
in Dodd-Frank’s multiprong approach to systemic risk. 

74 This Time Is Different 172. Such banking crises are typically an amplification mechanism of 
a previous shock. Ibid. 

75 Diane Schanzenbach and others, ‘Nine facts about the great recession and tools for fighting the 
next downturn’ (May 2016), The Hamilton Project, Brookings Institution 1. 

76 Bob Davis, ‘What’s a global recession?’, Wall Street Journal (22 April 2009). 

77 Ibid. 4. 

78 This Time Is Different 146. 

79 Real effects of disrupted credit 4. 

80 Eric Rosengren, ‘Defining financial stability, and some policy implications of applying the 
definition’ (3 June 2011), Keynote remarks at the Stanford Finance Forum, Graduate School of Busi- 
ness, Stanford University, at <https://www.bostonfed.org/news-and-events/speeches/defining-finan 
cial-stability-and-some-policy-implications-of-applying-the-definition.aspx> (cited in Anil Kashyap, 
Dimitrios Tsomocos, and Alexandros Vardoulakis, ‘Principles for macroprudential regulation’ 
(April 2014), Financial Stability Review No. 18, 173, 174). 
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Exacerbating the effect of downturns associated with financial crises, in a 
recession, as bank asset quality deteriorates and bank capital declines, banks 
seek to preserve liquidity and capital by reducing lending, leading to less invest- 
ment and consumption and further output declines.*' Risk aversion also certainly 
plays a role. Financial crises raise intermediation costs and restrict credit, thereby 
restraining activity in the real sector and resulting ultimately in low growth and 
recession.” 

An important lesson drawn by lawmakers and policymakers from the Great 
Recession was that banks need capital sufficient to continue their vital role in 
credit intermediation. Due to their enormous MBS-related write-downs, banks 
had to replenish their capital before they would be able to lend further. Such 
unprecedented balance sheet impairments later served as precedent for the Fed- 
eral Reserve’s severely adverse scenarios in its stress testing programs. 


6.2.7.1 Regulatory response relating to risks revealed in Phase III 

Dodd-Frank adopts measures involving enhanced expectations for corporate gov- 
ernance (Chapter 6): hard-wired capital ratios, capital planning through CCAR 
and DFAST stress testing, and LISCC capital planning oversight (Chapter 7). All 
these responses are designed to ensure that banks can absorb losses while still 
adequately serving as credit intermediaries. 


6.2.8 Regulators’ lessons from the GFC and their macro-prudential response 


The GFC has had a profound impact on lawmakers, bank regulators, banks’ 
systems of corporate governance, and financial economists and macroecono- 
mists. The great majority of Dodd-Frank’s provisions relate to systemic issues 
involving risk management, capital planning, liquidity management, avoiding 
financial institutions’ disorderly failure, and TBTF more generally in some form 
or fashion.*? They are animated by a desire to avoid future taxpayer-funded 
bailouts. 


6.2.8.1 Pre-GFC focus on safety and soundness of individual banks 

Policymakers realized that prudential regulation had been too preoccupied with 
the safety and soundness of individual banks by seeking to make regulatory cap- 
ital move more closely in accord with banks’ own calculation of economic cap- 
ital.“ In addition, firms’ efforts to remain solvent in a crisis through asset sales, 
reducing loans to good credits, or requiring more collateral ultimately undermines 


81 This Time Is Different 144. 

82 Franklin Allen and Douglas Gale, ‘Financial contagion’ (2000), 108 Journal of Political Econ- 
omy 1, 2. See Ben Bernanke and Mark Gertler, ‘Agency Costs, Net Worth, and Business Fluctuations’ 
(March 1989), 79 American Economic Review 14-31. 

83 This statement is also true of Title X, which created the Consumer Financial Protection Bureau 
(CFPB). Predatory retail lending to millions of borrowers who could not afford their mortgage pay- 
ments was a contributing systemic risk factor in the GFC. 

84 Brunnermeier, Fundamental Principles 6. 
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the financial system’s stability.” Before the GFC, prudential regulation largely 
ignored interconnections between financial institutions resulting in CCR. Another 
example of myopia was regulators’ lack of awareness of systemic risks from the 
rapidly increasing reliance on securitization throughout the financial markets. 


6.2.8.2 Objective of new macro-prudential framework to internalize systemic 
risks 

The new framework of macro-prudential bank regulation reflects regulators’ 
understanding of the key risks revealed in the three phases outlined in this chap- 
ter’? and a deeper understanding of the concepts of systemic risk and TBTF. 
The primary macro-prudential regulatory objective of Basel III/Dodd-Frank is 
to compel financial conglomerates to internalize the negative externalities that 
they impose on the financial system due to failures as both going and gone con- 
cerns. The former involves firms’ excessive balance sheet shrinkage following a 
financial crisis and the latter, potential market instability from their failure and 
taxpayer-funded rescues. Where firms’ practices do not lead them to internalize 
these costs, regulators seek to understand why, and to regulate and supervise 
them accordingly.** 


6.2.8.3 Systemic risk coordinators in the US, UK, EU, and globally 

The GFC brought home the importance of coordinating regulatory responses in 
modern financial crises, which invariably involve both banking and capital mar- 
ket instability, and the critical need for international coordination in light of the 
globally integrated financial system. In the US, the primary financial agency offi- 
cials worked relatively well together in crafting ad hoc solutions in the rapidly 
escalating crisis. Coordination was much less successful in Europe, in both the 
GFC and the subsequent sovereign debt crisis. Authorities in the world’s major 
financial markets realized that such coordination needed to be systematized and 
formalized. 

Dodd-Frank created FSOC to coordinate systemic risk oversight and desig- 
nate certain large financial conglomerates by supermajority vote as ‘systemically 
important financial institutions’ (SIFIs), a defined term in the statute.*? FSOC 
has ten voting members, which include the heads of the major federal financial 
regulators and the Treasury Secretary, acting as chair. FSOC is charged with pro- 
actively detecting, and recommending measures to prevent, potential risks to the 


85 Kenneth French and others, The Squam Lake Report: Fixing the Financial System (Princeton 
University Press: 2010) 135. 

86 Ibid. 136. 

87 Phase I (§ 6.2.5); Phase II (§ 6.2.6); Phase III (§ 6.2.7). 

88 Samuel Hanson, Anil Kashyap, and Jeremy Stein, ‘A macroprudential approach to financial 
regulation’ (Winter 2011), 25 Journal of Economic Perspectives 3, 5. 

89 Dodd-Frank also authorizes FSOC to designate ‘financial market utilities’ (FMUs), such as the 
Chicago Mercantile Exchange, Inc., as SIFIs, of which there are eight. FMUs undertake clearance and 
settlement of cash, securities, and derivatives transactions. Several FMUs are central counterparties 
that clear trades in their specialized markets. 
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stability of the US financial system.” Financial institutions FSOC designates as 
SIFIs are subject to FRB supervision and EPS, Dodd-Frank’s prudential regula- 
tory requirements for financial conglomerates. FSOC’s global counterpart, the 
FSB, monitors and makes recommendations regarding systemic risk globally 
and coordinates national authorities and standard-setting organizations with the 
aim of strengthening and maintaining the stability of the international financial 
markets. 

FSOC is one of the primary mechanisms for regulating TBTF. It is also 
one of the only devices under Dodd-Frank for regulating the shadow-banking 
system. FSOC’s interagency coordinating role is especially important in light 
of the US’s highly fragmented, institutional supervisory structure. However, 
FSOC’s record in regulating non-bank SIFIs is less than stellar. It designated 
four non-bank financial conglomerates as SIFIs, but none of these remains so 
designated.’' BHCs with $250 billion in assets are automatically SIFIs under 
Dodd-Frank. 

Globally, coordination among regulators to mitigate systemic risk is also not 
well institutionalized. In the UK the BoE oversees regulation and supervision 
of systemic risk, but a legally separate body is not charged with this task. The 
BoE’s FPC, with representatives from the BoE, PRA, and FCA, external mem- 
bers, and a Treasury observer, oversees systemic risk issues. In the EU, the Euro- 
pean Systemic Risk Board (ESRB), established in 2010, is responsible for the 
macro-prudential oversight of the EU’s financial system with a view to prevent- 
ing or mitigating systemic risks to financial stability. However, its recommenda- 
tions are non-binding. 


6.2.8.4 Political and organizational challenges involving systemic risk 
oversight 

The experience of FSOC in designating non-bank financial institutions, and sub- 
sequently rescinding, all of the non-bank SIFI designations, and the lack of a 
separate legal entity in the UK, albeit under the BoE’s aegis, responsible for 
systemic risk, and the ESRB’s lack of regulatory authority, underscores the chal- 
lenges facing supra-agency bodies tasked with systemic risk oversight. It is diffi- 
cult to design an effective supervisory structure accountable for macro-prudential 
policy. Several factors may contribute to this, including the lack of experience in 
identifying and measuring systemic risk, specifying goals for macro-prudential 
policy, or understanding the transmission mechanism of systemic risk.” 


90 Dodd-Frank also created the Office of Financial Research to assist FSOC in assessing emerg- 
ing systemic risk. 

91 FSOC designated American International Group, Inc., General Electric Capital Corporation, 
Inc., Prudential Financial, Inc., and MetLife, Inc. as SIFIs. However, a federal district court rescinded 
MetLife’s SIFI designation in March 2016. FSOC rescinded GE’s designation in June 2016, AIG’s in 
September 2017, and Prudential’s in October 2018. 

92 Ed Balls and Anna Stansbury, ‘Twenty years on: is there still a case for Bank of England 
independence?’ (1 May 2017), VOX CEPR Policy Portal. See 6.2.1.2, which discusses the lack of a 
unified concept of systemic risk. 
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6.3 Risk management and compliance expectations for large BHCs 


The GFC is widely viewed as a failure not only of financial regulation but also of 
private-sector risk management and compliance. The BHCs’ fragile capital struc- 
ture, exacerbated by the conglomerates’ complex corporate operations,” played 
a key role in these governance failures. By the time the crisis in Phase II began 
in late summer 2007 it was too late for most financial conglomerates to take 
preventive measures. These firms were unable to resist the competitive market 
dynamics. However, certain firms, such as Goldman Sachs, drew in their horns 
before it was too late, and other firms, such as JPMorgan Chase, had strategically 
decided not to strive for high market share in subprime assets in the first place.” 

In response, Dodd-Frank mandates several risk management and compliance 
requirements for the largest BHCs and FSOC-designated SIFIs and somewhat 
less rigorous requirements for other large BHCs. The implementing rules are in 
Regulation YY.” In a series of regulatory policy letters and releases that supple- 
ment or revise pre-GFC guidance under this regulation, the FRB has spelled out 
its internal governance expectations for financial conglomerates. Collectively, 
the FRB guidance serves as a foundation for the post-crisis regulatory program 
concerning corporate governance. More generally, policymakers seek to estab- 
lish a forward-looking set of regulatory expectations. Rather than correcting 
specific risk management failures of the past, the agencies have formulated a 
broader corporate governance reform designed to enhance conglomerates’ ability 
to detect, and take effective measures to reduce, exposure to new, yet unidentifi- 
able, emerging systemic risks. 

A key theme that runs throughout this guidance is the crucial necessity for 
large BHCs to ensure that business strategies do not exceed the capability of 
business line management and of the risk management function to effectively 
contain and control the risks arising from each business line charged with execut- 
ing its strategy. Risk tolerance must reflect the capacity of the risk management 
infrastructure. 

Most recently, the FRB issued two sets of proposed guidance which this sec- 
tion discusses in detail, one on boards of directors in 2017 and the other on busi- 
ness management and the control functions in 2018. This guidance is based on 
a comprehensive review of large BHCs’ corporate governance practices. The 
guidance sets forth highly explicit regulatory expectations for these components 
of BHCs’ corporate governance. This guidance is part of the FRB’s broader initi- 
ative to develop a supervisory rating system for LFIs.”° 


93 See § 1.3.3. 

94 JPMorgan generally ceased its subprime mortgage origination in fall 2006. From July 2007 
through the second quarter of 2008, JPMorgan incurred only $5 billion in losses on high-risk CDOs 
and leveraged loans, compared with $33 billion at Citigroup and $26 billion at Merrill Lynch. Shawn 
Tully, ‘How J.P. Morgan steered clear of the credit crunch’, Fortune (2 September 2008). 

95 12 CFR Part 252. 

96 Large Financial Institution Rating System; Regulations K and LL, 82 Federal Register 39049 
(17 August 2017). The LFI initiative would apply generally to depository institutions with $50 billion 
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6.3.1 FRB guidance on large BHCs’ board effectiveness 


The FRB published proposed guidance in August 2017 on the effectiveness 
of boards of directors of BHCs and savings and loan holding companies with 
total consolidated assets of at least $50 billion, a threshold likely to increase to 
$250 billion, and non-bank designated SIFIs.°” 

The FRB views an effective board of directors as central to maintaining the 
safety and soundness and continued resiliency” of a firm’s consolidated operations. 
The key thrust of the guidance is to distinguish between the roles of a board and of 
senior management by focusing on boards’ ‘core responsibilities’ as a key means 
of enhancing financial stability. The FRB listed five core responsibilities of a board: 


(1) Set clear, aligned, and consistent direction for the firm’s strategy and 
types and levels of risk, or ‘risk tolerance’. 

(2) Actively manage information flow and board discussions. 

(3) Hold senior management accountable. 

(4) Support the independence and stature of risk management, compliance, 
and internal audit. 


(5) Maintain a capable board composition and governance structure.'”° 


The practical objective of the guidance is to ensure that boards maintain their 
oversight role by not becoming enmeshed in the chore of implementing their own 
approved strategy and risk management directives. This implementation is the 
function of senior management. '®! 


6.3.1.1 Business strategy clearly aligned with risk tolerance 
The primary focus of and priority in the 2017 guidance on effective boards is to 
ensure that a board’s business strategy and risk tolerance are ‘clear and aligned’ 


or more in total consolidated assets, a figure likely to be raised to $250 billion to harmonize with the 
2018 amendment to Dodd-Frank. 

97 Proposed Guidance on Supervisory Expectation for Boards of Directors, 82 Federal Register 
37219 (9 August 2017) [FR, Board of Directors Guidance]. In finalizing the guidance, the FRB will 
likely modify the $50 billion threshold, since Congress in June 2018 enacted amendments to Dodd- 
Frank’s EPS regulation from $50 billion to $250 billion in consolidated total assets but granted dis- 
cretion to the FRB in regulating BHCs with total consolidated assets of at least $100 billion. 

98 The guidance defines ‘resiliency’ as maintaining effective governance and controls, including 
effective capital and liquidity governance and planning processes and sufficient capital and liquidity, 
to provide for the firm’s continuity, and promote compliance with laws and regulations, including 
those related to consumer protection, through a range of conditions. Ibid 37224. 

99 This book considers ‘risk tolerance’ and ‘risk appetite’ to have an equivalent meaning. 

100 FR, Board of Directors Guidance 37220. 

101 A leading legal practitioner in corporate governance has stressed the same dividing line 
between the board and senior management. According to Martin Lipton, boards cannot be involved 
in day-to-day management. Instead, through their oversight role, directors should satisfy themselves 
that senior executives and risk managers have designed and implemented risk management P&Ps 
that are consistent with the firm’s strategy and risk appetite. The board should be aware of the type 
and magnitude of the company’s principal risks and ensure that the CEO and the senior executives 
are fully engaged in risk management. Martin Lipton, ‘Risk Management and the Board of Directors’ 
(20 March 2018), Harvard Law School Forum on Corporate Governance and Financial Regulation, 
at <https://corpgov.law.harvard.edu/2018/03/20/risk-management-and-the-board-of-directors-5/>. 
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with one another and that business strategy includes a long-term perspective on 
risks and rewards consistent with the capacity of a firm’s risk management frame- 
work. Put another way, a firm’s business initiatives should not outrun its capac- 
ities to manage the risks created by these firms. For example, if a firm expands 
into a new line of business the board should consider the increased level of risk 
and the need to enhance control requirements to ensure that the risk management 
infrastructure can adequately incorporate the new business line. 

The board should ensure that its risk tolerance is sufficiently detailed so that 
senior management can identify strategic objectives, create effective management 
structures, implement plans and budgets for each business line, and establish effec- 
tive control functions. When clearly stated, risk tolerance will enable the CRO to 
set firm-wide risk limits, in the aggregate (by concentration and risk type) and on 
a granular basis. P&Ps that formalize these processes would promote alignment of 
business strategy with risk management. A firm’s business strategy and risk toler- 
ance are aligned when they are ‘consistent, developed, considered, and approved 
together’. A board should approve ‘significant policies, plans, and programs’ ,' 
such as liquidity risk management, if consistent with business strategy, risk toler- 
ance, and risk management. To this end, significant policies, plans, and programs 
should contain sufficient clarity and allocation of responsibilities to allow a board 
to oversee senior management’s implementation. 


6.3.1.2 Information flow 

The FRB found in its review that boards are overwhelmed by the quantity and 
complexity of the information they receive. Its guidance seeks to remedy this 
weakness. '® A board actively manages information flow and deliberations so that 
it can make sound, well-informed decisions. The guidance states that effective 
boards direct senior management to provide timely and accurate information 
with an appropriate level of detail and context. Directors should take an active 
role in setting board meeting agendas so that content, organizations, and time 
allocation allows the board to discuss strategy trade-offs. If needed, directors 
can seek information outside routine board meetings. The BCBS 239 guidance 
on risk data aggregation and risk reporting dovetails with the FRB guidance on 
information flow. ° 


6.3.1.3 Accountability of senior management 
The FRB guidance identifies several attributes of effective boards vis-à-vis sen- 
ior management. Broadly, boards should hold senior management accountable 


102 ‘Significant policies, plans, and programs’, in effect a defined term, consist of a capital plan, 
recovery and resolution plans, an audit plan, enterprise-wide risk management policies, liquidity 
risk management policies, compliance risk management programs, and incentive compensation and 
performance management programs. FR, Board of Directors Guidance 37225. 

103 In separate, related guidance, the FRB also revised its policy to provide MRIAs and MRAs 
to senior management rather than to directors in the first instance. See § 2.7.1.1 for a discussion of 
MRIAs and MRAs. 

104 § 6.3.5.1. 
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for implementing strategy and risk tolerance and maintaining a sound control 
framework. The guidance specifies a number of actions and activities by a board 
that can promote these objectives. 

First, boards should evaluate senior management’s performance and compen- 
sation. Second, boards must ‘actively engage’ with senior management. This 
entails ensuring sufficient time to hold frank discussions and debate on manage- 
ment presentations, encouraging diverse points of view, and considering how 
senior management’s assessments and recommendations support board-approved 
strategies and risk tolerance. Third, effective boards translate robust and active 
inquiry into drivers, indicators, and trends related to current and emerging 
risks." Fourth, boards should inquire into senior management’s adherence to 
board strategy and risk tolerance, material and persistent deficiencies in the con- 
trol functions, compensation programs that encourage ‘prudent’ risk-taking, and 
practices that emphasize regulatory compliance. Fifth, an effective board sets 
clear financial and non-financial performance objectives for the CEO, CRO, 
CAE, and other senior management that are aligned with the approved strategy 
and risk tolerance.” 


6.3.1.4 Support of independence and stature of control functions 
Effective boards support the independence and stature of the control functions 
through active engagement on their audit and risk committees. They promote this 
goal by inquiring into material or persistent breaches of risk appetite and risk lim- 
its, timely remediation, and the appropriateness of the annual internal audit plan. 
The FRB guidance indicates several ways in which boards can support such 
independence and stature. Boards should communicate directly with the CRO on 
material risk management issues; review its risk budget, staffing, and systems; 
give it direct, unrestricted access to the risk committee; ensure its inclusion on 
senior management committees; and ensure that risk tolerance and strategy align 
with risk management capacity after considering the risk management frame- 
work in relation to the firm’s risk profile, size, and complexity. The FRB gives 
similar guidance with respect to internal audit." 


6.3.1.5 Maintain capable board composition and governance structure 

Boards should have a composition, governance structure, and set of practices 
relative to the firm’s size, complexity, operations, and risk profile that ensure it 
can govern the firm effectively. To this end, the composition of the board should 
have the appropriate diversity of skills, knowledge, experience, and perspectives 
that enable it to perform its oversight role. ° 


105 Independent directors should be empowered to serve as a check on senior management. As 
examples the FRB points to a lead independent director with authority to set board meeting agendas 
or call meetings without the CEO and board chair. 

106 FR, Board of Directors Guidance 37225. 

107 Ibid. 37225-37226. See § 3.7.1, which describes the key elements in a risk management 
framework. 

108 FR, Board of Directors Guidance 37226. 
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6.3.2 FRB guidance on senior and business line management of large BHCs 


The FRB issued proposed guidance in January 2018'” on a board’s role and 
responsibilities vis-a-vis senior management and the control functions that dove- 
tails with its 2017 guidance on board effectiveness. The 2018 guidance presents 
its expectations for both senior management"! and line management!!! and for 
the risk management and internal audit functions. 


6.3.2.1 Senior management 

Senior management has responsibility for managing the firm’s day-to-day oper- 
ations, ensuring safety and soundness, and compliance with regulations and 
internal P&Ps. Key responsibilities include overseeing the activities of the firm’s 
business lines''? and the firm’s independent risk management (IRM) function 
and system of ICs. Senior management is responsible for implementing the 
board-approved business strategy and risk tolerance. In this connection, it should 
maintain and implement an effective risk management framework and ensure 
that the firm appropriately manages risk consistent with its strategy and risk tol- 
erance. Senior management also ensures a smooth firm-wide flow of information. 
In these day-to-day roles, it should base its decisions on a full understanding of 
the firm’s risks and activities.'" 


6.3.2.2 Business line management 

The FRB’s expectations for business line management’s risk management respon- 
sibilities and business decision making are to operationalize senior management’s 
directives. Line managers set business and risk objectives for each business line 
in alignment with firm-wide strategy and risk tolerance. Line managers need 
to manage information flow upward effectively by explaining how they man- 
age risks consistently with the firm’s risk tolerance so that senior managers can 
act effectively regarding business strategy and risks. In addition, line manag- 
ers should identify and manage risks stemming from business line activities and 


109 Proposed Supervisory Guidance, 83 Federal Register 1351 (11 January 2018) [FR, Proposed 
Guidance on Business Management and Control Functions]. The guidance applies to domestic BHCs 
with at least $50 billion of total consolidated assets, the combined US operations of FBOs with 
combined US assets of at least $50 billion, and SIFI-designated non-banking firms. It also applies to 
savings and loans at the same threshold. FBOs are required to create intermediate BHCs and US risk 
committees in order to fulfill the FRB’s corporate governance requirements. 

10 These individuals are defined as the core group of individuals directly accountable to the 
board of directors for the sound and prudent daily management of the firm. Ibid. 1353. 

11 These individuals are defined as the core group of individuals responsible for the prudent 
day-to-day management of the business line and who report directly to senior management. Ibid. 
1353-1354. 

12 A ‘business line’ is a defined unit or function of a financial institution, including associated 
operations and support, that provides related products or services to meet firm’s business needs and 
of its customers, such as corporate treasury. 

13 FR, Proposed Guidance on Business Management and Control Functions 1371. These 
include staying on top of key risk drivers and trends and material limit breaches; assessing the impact 
of the firm’s activities and risk positions on the firm’s capital, liquidity, and overall risk profile; and 
maintaining robust MIS. Ibid. 
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changes in external conditions. Managers should understand how risks of their 
individual business lines affect their business line in the aggregate." 

The FRB emphasizes the importance of clearly delineated roles and respon- 
sibilities to ensure that the business units act within the approved risk tolerance 
and within risk limits established by the IRM. Internal controls should demarcate 
the respective roles relating to business strategy and risk management. P&Ps 
should clearly define management’s authority and align behavior with perfor- 
mance incentives. In addition, managers should ensure that their business lines 
ensure accountability for operating within internal policies and guidelines and 
regulations." 

Consultation with senior managers on limit exceptions should result in well- 
informed decisions on whether to accept or reduce risk exposure. Line managers 
also are responsible for testing controls to ensure that they are managing risks 
effectively and for remedying deficiencies. As the first line of defense, line man- 
agers are responsible for ensuring that controls prevent, detect, and remediate 
risk management and compliance failures. ''® 


6.3.3 FRB guidance on risk management and other control functions 


The FRB devotes considerable space to the ‘IRM’ function," illustrating its 
increasingly high regulatory expectations regarding risk management. The FRB’s 
proposed guidance builds on Regulation YY, which mandates risk management’s 
independence and appointment of CROs. Even in the context of other recent 
guidance, IRM guidance is quite prescriptive" compared to that for other cor- 
porate governance roles. Chapter 3 provides a basic understanding of corporate 
governance and the principles and elements of risk management that is useful in 
understanding this FRB guidance. This section also covers the compliance risk 
function, the CRO, the CAE, and ICs, all of which support or otherwise promote 
the IRM function. 


6.3.3.1 Overall objective of the IRM 

The overall objective of IRM is to provide an objective, critical assessment of 
risks and ensure that a firm’s business strategies remain aligned with its stated 
risk tolerance.''? The FRB guidance covers three areas of IRM’s remit: risk tol- 
erance and limits; risk identification, measurement, and assessment; and risk 
reporting. 


114 Ibid. 1358. 

115 Ibid. 1359. 

116 Ibid. 1358. 

117 The FRB’s defined term for risk management is ‘independent risk management’. This book 
uses the term risk management while discussing the attributes that contribute to its independence. It 
assumes this defined term does not alter the FRB’s overall substantive guidance on this topic. 

118 Nevertheless, the FRB states that except for CRO and CAE roles, the guidance does not 
“purport to prescribe in detail the governance structure for a firm’s IRM and controls’. FR, Proposed 
Guidance on Business Management and Control Functions 1359. 

119 Ibid. 
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6.3.3.2 IRM: risk tolerance and limits”? 

IRM should evaluate whether the firm’s risk tolerance appropriately captures the 
firm’s material risks and confirm that the risk tolerance is consistent with the 
capacity of the risk management framework. This specifically involves assess- 
ment whether the firm has sufficient resources and infrastructure. Notably, the 
FRB states that IRM should separately evaluate the firm’s risk tolerance, which 
the board presumably has already approved,'*' to ensure it appropriately cap- 
tures material risks and aligns with the firm’s strategy and corresponding busi- 
ness activities. IRM should additionally evaluate the risk tolerance to determine 
whether it: 


e addresses risks under normal and stressed conditions and considers 
changes in the risk environment; 

e includes risks associated with the firm’s revenue generation and other 
aspects of risks inherent to the business, such as compliance, IT, and 
cybersecurity; 

e incorporates realistic risk and reward assumptions that, for example, do 
not overestimate expected returns from business activities or underesti- 
mate risks associated with business activities; and 

e guides the firm’s risk-taking and risk mitigation activities. 


IRM should also determine that enterprise-wide risk limits are consistent with the 
firm’s risk tolerance for the firm’s full set of risks. In addition, it should ensure 
assignment of clear, relevant, and current limits to specific risk types, business 
lines, legal entities, jurisdictions, geographical areas, concentrations, and prod- 
ucts or activities that correspond to the firm’s risk profile." Quantitative risk 
limits can relate to earnings, assets, liabilities, capital, or liquidity, among other 
areas. Qualitative limits can relate to other areas such as constraining business in 
a specified country. 
The FRB states that, where possible, risk limits should: 


e consider the range of possible external conditions; 

e consider firm-wide aggregation and interaction of risks; 

* be consistent with the firm’s financial and non-financial resources; and 

e reinforce compliance with regulation and consistency with supervisory 
expectations. 


IRM monitoring should be ongoing. Thus, IRM should update risk limits, par- 
ticularly when the firm’s risk tolerance is updated, its risk profile changes, or 


120 This guidance is found at ibid. 1360-1361. 

121 Several groups in the firm, including IRM, provide input and advice to the board in the 
approval process for the risk tolerance. 

122 The guidance gives several examples, including single counterparty credit exposures and 
funding concentrations. FR, Proposed Guidance on Business Management and Control Functions 
1361. 
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external conditions change. In addition, IRM should identify significant trends 
in risk levels to evaluate whether risk-taking and risk management practices are 
consistent with the firm’s strategic objectives. 


6.3.3.3 IRM: risk identification, measurement, and assessment!” 

IRM should identify and measure current and emerging risks within and across 
business lines, and by legal entity or jurisdiction, as necessary. If quantitative risk 
assessment is difficult, IRM should do so qualitatively. Risk identification and 
assessment should be ongoing to reflect changes in exposures, business activities, 
the broader operating environment, and regulatory expectations. 

IRM should identify risk types! and establish minimum identification and 
measurement standards to ensure consistency across risk types. Standards should 
be dynamic, inclusive, and comprehensive. IRM should obtain access to infor- 
mation about all risk-related exposures and seek input across the firm in risk 
identification while not relying on business line information exclusively. In addi- 
tion, it should aggregate risks across the entire firm and assess them relative to 
the firm’s risk tolerance and assess the likely and potential impact of material or 
critical concentrations of risks. Furthermore, it should assess risks and risk driv- 
ers within and across business lines and risk types. 

IRM should analyze any assumptions related to risk identification, including 
information gaps, uncertainties, and limitations in risk assessments for senior 
management or the board, as appropriate. An example are new products or busi- 
ness lines. In such a case, IRM should acknowledge areas of insufficient infor- 
mation that limit a complete risk assessment and provide a plan to obtain the 
necessary information. 


6.3.3.4 IRM: risk reporting!” 

IRM should provide the board and senior management risk reports accurately, 
concisely, and in a timely manner, conveying material risk data and assess- 
ments and covering current and emerging risks and adherence to risk limits and 
the firm’s ongoing strategic, capital, and liquidity planning processes. Reports 
should enable prompt escalation and remediation and support or influence stra- 
tegic decision making. Such reporting should cover aggregate risks within and 
across business lines. 


6.3.3.5 CRO 

The CRO’s role is to guide IRM to establish and monitor compliance with 
enterprise-wide risk limits, identify and aggregate the firm’s risks, assess the 
firm’s risk positions relative to the parameters of the firm’s risk tolerance, and 
provide relevant risk information to senior management and the board. The CRO 


123 Ibid. 

124 These include credit, market, operational, liquidity, interest rate, legal, compliance, and 
related risks (such AML/BSA). 

125 FR, Proposed Guidance on Business Management and Control Functions 1361-1362. 

126 Ibid. 1359-1360. 
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should escalate issues to senior management and the board when firm-wide, 
risk-specific, or business line activities do not align with the firm’s overall risk 
tolerance. An example is if risk management capacity is insufficient to manage 
risks of a new product line. 

The FRB stresses the importance of the independence, authority, and stature 
of the CRO. The CRO must report directly to the board’s risk committee and the 
CEO in order to promote the IRM’s stature” and independence and must submit 
quarterly reports to the risk committee. The CRO should inform the board if his 
or her stature, independence, and authority are insufficient to provide independ- 
ent assessments of the firm’s risk management framework. Also, the CRO should 
be included in key decisions relating to strategic planning and other areas. To 
ensure independence from the business lines, the CRO should establish clearly 
defined roles, responsibilities, and reporting lines. The CRO should also assess 
whether IRM has appropriate staffing, sufficient authority to identify and esca- 
late material risk management and control deficiencies, and challenge business 
managers when warranted. 


6.3.3.6 Chief audit executive's 

The internal audit function conducts independent assessments of the effective- 
ness of a firm’s IC system and risk management framework. The board should 
appoint a CAE who has sufficient capability, experience, independence, and stat- 
ure to manage the internal audit function’s responsibilities and the authority to 
oversee all internal audit activities. The CAE should report findings and audit- 
related issues to the board’s audit committee and senior management. 


6.3.3.7 Internal controls!” 

The FRB sets forth two principles governing ICs. First, a firm should identify its 
IC system and demonstrate that it is commensurate with the firm’s size, opera- 
tions, activities, risk profile, strategy, and risk tolerance and is consistent with all 
applicable regulation. Business line management, among other parties, is respon- 
sible for developing and maintaining an effective system of ICs. A firm should 
integrate control activities into daily functions of all relevant personnel. The FRB 
guidance lists several categories of ICs.'*° 


127 The guidance defines stature, among other things, as the ability and authority to influence 
decisions and effect change throughout a firm. Ibid. 1359 n. 43. 

128 Ibid. 1360. 

129 Ibid. 1362. 


130 The guidance specifies the following categories: 


e P&Ps that set expectations relating to the firm’s business activities and support functions. 

e P&Ps that establish levels of authority, responsibility, and accountability for overseeing 
and executing the firm’s activities and standards for prudent risk-taking behaviors. 

e Clear assignment of roles and responsibilities and appropriate separation of duties. 

e Physical controls for restricting access to tangible assets. 

e Approvals and dual authorizations for key decisions, transactions, and execution of 
processes. 

e Verifications of transaction details and periodic reconciliations, such as those comparing 
cash flows to account records and statements. 
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Second, a firm should regularly evaluate and test the ICs’ effectiveness using 
a risk-based approach, and monitor their functioning to identify and timely com- 
municate deficiencies. Thus, a firm should have mechanisms to test ICs and iden- 
tify and escalate issues concerning deficiencies. Typically, testing is periodic and 
monitoring is ongoing. A firm should establish management information systems 
(MIS) that track IC weaknesses and escalate serious matters to all appropriate 
parties, including the board. 


6.3.4 Board risk committee requirements for large BHCs'*! 


Dodd-Frank originally required publicly traded BHCs with at least $10 billion 
and less than $50 billion in total consolidated assets to have risk committees and 
an enterprise-wide risk management framework, with more stringent require- 
ments for BHCs at the $50 billion threshold. The Bipartisan Banking Act in 2018 
continued to require FRB rules for $50 billion BHCs and reserved authority for it 
to require risk committees for BHCs with at least $10 billion in total consolidated 
assets. The FRB stated that BHCs in the latter category do not need to comply 
with the risk committee requirements until it has issued a revised rule. This sec- 
tion thus summarizes the rule provisions applicable to BHCs with $50 billion in 
total consolidated assets 


6.3.4.1 Risk committees of BHCs with $50 billion or more in total 

consolidated assets 
BHCs must maintain a risk committee that approves and periodically reviews the 
risk management policies of its global operations and oversees the operation of 
its global risk management framework. Such a framework must correspond to the 
firm’s size, risk profile, and complexity and, at a minimum, include the following 
components: "°? 


e Policies and procedures. P&Ps are required for risk management gov- 
ernance, procedures, and infrastructure for global operations. 

e Processes and systems. These facilitate implementing and monitoring 
compliance with the aforesaid P&Ps. 

e Risk committees responsibility. The committee must include liquidity 
risk management as per the liquidity rule’s specifications. '** 


e Access controls, change management controls, data entry controls, and related controls. 
¢ Escalation procedures with a system of checks and balances in situations allowing for 
managerial or employee discretion. Ibid. 


131 This section covers only requirements for US BHCs. Separate requirements apply for FBOs. 

132 12 CFR § 252.33. 

133 Such ‘processes and systems’ must identify and report risks and risk management deficien- 
cies, establish managerial and employee responsibility for risk management, ensure independence of 
the risk management function, and integrate risk management and associated controls with manage- 
ment goals and compensation structures for global operations. 12 CFR § 252.33(a)(2)(i)—(i1). 

134 The BHC’s board, among other things, must annually approve an acceptable level of liquidity 
risk and at least semi-annually determine if the BHC is operating within its liquidity risk tolerance. 
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e Corporate governance requirements. The committee must be an inde- 
pendent board committee with sole, exclusive responsibility for IRM 
policies for global operations and oversight of the global risk manage- 
ment framework, report directly to the BHC’s board, and receive and 
review quarterly reports from the BHC CRO. The committee must have 
a board-approved formal, written charter, and quarterly meetings with 
fully documented proceedings. 

e Member requirements. At least one member must have experience in 
identifying, assessing, and managing risk exposures of large, complex 
firms. The chair must be an independent director. "5 


6.3.5 Regulatory expectations for risk data aggregation and risk reporting 


The BCBS has issued guidelines concerning risk data aggregation and risk 
reporting for large banking organizations that the US banking agencies have 
yet to implement. Nevertheless, these guidelines form an important source 
of regulatory expectations for internationally active banking firms. US reg- 
ulatory expectations for BHCs and intermediate holding companies (IHCs) 
of FBOs'** regarding stress testing and living wills are consistent with these 
BCBS principles. This section covers the most important aspects of these 
guidelines. 


6.3.5.1 BCBS 239 

The BCBS issued 14 principles, known as BCBS 239, on data aggregation and 
risk reporting in 2013. It noted that a key lesson of the GFC was the inability of 
management of large, complex financial institutions to obtain timely, material 
information on the risk exposures throughout their firms.” Timothy Geithner 
had flagged a warning in a similar vein in 2005.'** Shortcomings in data aggrega- 
tion likely materially contributed to risk management deficiencies highlighted in 
this chapter during Phase I that preceded the crisis." Leading up to and during 


The rule provides in granular detail the parameters of required liquidity risk management pertaining 
to contingency planning and event management, risk limits, testing, and types of acceptable collateral 
for counterparties. 12 CFR § 252.34. 

135 UK and EU regulators focus more on the composition of the risk committee as a whole. 
The EBA requires members with ‘appropriate knowledge, skills, and experience concerning risk 
management and control practices’. Steve Marlin, ‘Bank risk committees: desperately seeking risk 
managers’, Risk.net (27 June 2018). Members’ skill set can include an understanding of non-financial 
risks such as geopolitical, reputational, and cyber risk. Ibid. 

136 Foreign banking organizations are required to form IHCs in order to operate in the US. 

137 Basel Committee on Banking Supervision, ‘Principles for effective risk data aggregation and 
risk reporting’ 1 (January 2013) [BCBS, Risk data aggregation]. 

138 Timothy Geithner, FRBNY president at the time, stated that most firms faced considerable 
challenges in aggregating exposures across the firm, capturing exposure concentrations in credit and 
other risks, and conducting stress tests and scenario analysis on a fully integrated bases to gauge 
exposures generated across an increasingly diverse array of activities. Timothy Geithner, ‘Risk man- 
agement challenges in the US financial system’, Speech before the Global Association of Risk Pro- 
fessionals (28 February 2006), at <www.bis.org/review/r060303a.pdf>. 

139 § 6.2.5. 
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the GFC many banks lacked the ability to aggregate risk exposures and identify 
concentration quickly and accurately at the BHC level, across business lines, and 
between legally separate entities. This significantly undermined their ability to 
conduct risk management, with systemic risk ramifications.'*° 

BCBS 239’s ultimate objective is to ensure that banks have a strong gov- 
ernance framework, risk data architecture, and IT infrastructure.'*! ‘Risk data 
aggregation’ involves defining, gathering, and processing risk data according to a 
bank’s risk reporting requirements to enable it to measure its performance against 
its risk appetite.’ In this regard, IT systems are of paramount importance to 
achieve compliance with BCBS 239. Banks need IT and data aggregation capa- 
bilities to support firm-wide management of risks. 

Aggregated risk reporting is a key need for regulators to identify emerging 
systemic risks. Improving banks’ risk data aggregation capabilities also improves 
resolvability, such as finding merger partners, often an eleventh-hour but prefer- 
able solution to insolvency during a market crisis. National resolution authorities 
should have access to this information for G-SIBS.'* The FSB has launched several 
initiatives to improve data aggregation and reporting for regulatory purposes." 


6.3.5.2 Progress in compliance with regulatory expectations under BCBS 239 
Progress in BCBS 239 compliance has been uneven. The BCBS noted in a 
2017 assessment that most banks had made, at best, marginal progress in 
implementation of BCBS 239, with only three of the 30 G-SIBs achieving 
full compliance.'** In the US, the CCAR and DFAST stress testing, which are 
data intensive exercises, and living will programs have led the large BHCs to 
devote considerable resources to enhancements in data governance and report- 
ing, which should bring US banking organizations closer to BCBS 239 expec- 
tations. A core CCAR requirement includes ICs to ensure reliable data and 
information systems. However, as the 2018 CCAR results show, progress has 
not been smooth.'*° 


140 BCBS, Risk data aggregation 1. 

141 Ibid. 6. A banking group’s structure should not hinder consolidated data risk aggregation at 
any level. Ibid. 7. 

142 Ibid. 1-2. 

143 Ibid. 1. Moreover, such capability results in efficiency gains, reduced probability of losses, 
enhanced strategic decision making, and ultimately increased profitability. Ibid. 

144 These include a Legal Entity Identifier system and a common data template for G-SIFIs to 
address key information gaps identified during the GFC, such as OTC bilateral exposures and expo- 
sures to countries, sectors, and instruments. Ibid. 2. 

145 Basel Committee on Banking Supervision, ‘Progress in adopting the principles for effective 
risk data aggregation and risk reporting’ (21 June 2018) 4. 

146 The FRB objected to a foreign bank’s capital plan due, in part, to material weaknesses in 
data capabilities and controls. Federal Reserve Board, ‘Comprehensive Capital Analysis and Review 
2018: Assessment Framework and Results’ (June 2018) 24. More generally, certain firms fell short of 
regulatory expectations in data and IT infrastructure. Ibid. 3. 
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6.3.6 Supervisory regime for LISCC firms and other large, complex BHCs 


The FRB established the LISCC in 2010 to coordinate supervisory oversight of 
SIFIs. LISCC firms are the largest BHCs and FSOC-designated non-banks.'*’ 
There were 12 LISCC firms as of 9 November 2018. To put this number in per- 
spective, 35 BHCs participated in the CCAR 2018 program. As necessary, the 
LISCC takes action to increase the financial and operational resiliency of SIFIs 
in order to reduce the potential of their material financial distress or failure. To 
achieve these objectives, the LISCC develops both micro- and macro-prudential 
views of LISCC firms, using multidisciplinary input from the Federal Reserve 
Banks. This input includes feedback from supervisors, economists, payments 
system experts, and market analysts; information from horizontal examinations, 
stress testing, and scenario analysis; and increased collection and use of consist- 
ently and timely reported firm-specific data.'** 


6.3.6.1 CCAR, CLAR, and SRP components of LISCC program 

The Federal Reserve has four priority areas in supervising LISCC firms: capital 
adequacy and capital planning; liquidity sufficiency and resiliency; corporate gov- 
ernance; and recovery and resolution planning. The LISCC operating committee 
oversees the execution of the three horizontal exercises involving LISCC firms and 
directs resources toward these priorities: the CCAR, the Comprehensive Liquid- 
ity Analysis and Review (CLAR), and the Supervisory Assessment of Recovery 
and Resolution Preparedness (SRP). Chapter 7 discusses the CCAR program in 
detail. The CLAR is the Federal Reserve’s annual, horizontal, forward-looking 
program to evaluate LISCC firms’ liquidity position and liquidity risk manage- 
ment practices. The SRP is the Federal Reserve’s annual horizontal review of 
LISCC firms’ progress in removing impediments to orderly resolution. This SRP 
review is an additional layer of oversight over the ‘living will’ program. 


6.4 Conclusion 


Global regulators have developed a comprehensive program that tackles sys- 
temic risk on multiple fronts. This chapter has focused on the lessons learned 
in Phase I that preceded the GFC regarding the deficiencies in risk management 
and corporate governance practices that contributed to the ensuing liquidity and 
credit crisis. Those firms that performed relatively well had reduced their expo- 
sure to subprime mortgage assets or limited their entry into that market in the 
first instance. 


147 FRB, ‘SR 12-17: Consolidated Supervision Framework for Large Financial Institutions’ (17 
December 2012). The Federal Reserve designates LISCC BHCs based on size, interconnectedness, 
lack of available substitutes for services they provide, and cross-border activities. As of Decem- 
ber 31, 2018, there were no non-bank financial institutions designated by FSOC as SIFIs. 

148 Federal Reserve Board, ‘SR 15-7: Governance Structure of the LISCC Supervisory Program’ 
(17 April 2015) 2. 

149 § 7.4.2. 


191 


BANK REGULATION AND INTERNAL GOVERNANCE 


The SSG identified certain governance processes and risk controls of these 
better performing firms. The guidance on boards, management, and risk manage- 
ment subsequently issued by the FRB and BCBS largely mirror these firms’ risk 
management practices. These firms’ internal governance mechanisms ensured 
that information relating to problems on the ground level moved promptly and 
effectively across business lines and up to the senior management. They gener- 
ated asset valuations using a variety of internal and external sources and applied 
these valuations consistently across the firm. They imposed economic capital 
charges on business lines, reflecting a genuine attempt to incorporate the under- 
lying fat-tail risks of a given banking or trading book exposure into their risk 
management framework and within their risk appetite. These internal processes 
allowed these firms not only to gather critically relevant information on a firm- 
wide basis but to act promptly to change strategic direction before risks became 
an existential threat to their franchise. 
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